Major Antimalware Companies are Being Compromised: Now is the Time to Evaluate Your Security Layers


Antivirus and antimalware solutions are designed to protect computers and servers from becoming victims of bad actors (aka hackers). The entire purpose of these solutions is to provide protection, security, and assurance that your machines are safe. Antimalware solutions are considered an essential, basic part of every person’s and business’s computer security. Apart from security experts who have their own ideas about protecting their own machines, just about everyone recommends having antimalware software on computers as a rule.

Think about it: antimalware tools might be the ultimate applications. They are installed on a large percentage of computers across the world, they require access to all files in order to work, and they are trusted. But those same properties mean they can also be used as a backdoor into computers and workstations.

In the news this week, three major US players in the antimalware software market may all have been compromised. Symantec Antivirus, Trend Micro, and McAfee have all been rumored to have been breached. As of the posting of this article, Symantec has denied any breach, McAfee has said it is investigating the situation, and Trend Micro admits some non-critical data has likely been compromised.

Whether these companies were breached, and whether critical data was taken, we may or may not learn in the near future. What we do know is that no company and no data is safe. RSA, which was and may still be considered one of the leaders in digital risk management and cybersecurity solutions, including two-factor authentication tools, was compromised a few years ago.

Is the answer to switch antimalware solutions? Or to stop using them altogether, since they offer backdoors into your systems? No, not at all. These incidents simply reinforce the need for layers of security protection. Many businesses, and many people on personal computers, say, “Well, I have antimalware software installed, what else can I do?” The reality is that this is comparable to asking, “I put a door on my house, what else can I do?” On your house, you don’t stop at the door; you add door locks, deadbolts, security systems, cameras, etc. You must do the same with cybersecurity. There isn’t a buy-one-fits-all option.

It’s time to look for solutions that augment your standard antimalware solution. This can include solutions that look at the behavioral characteristics of your network, above and beyond antimalware’s traditional signature method. Another great solution is to add honeypots to your infrastructure with appropriate alerting built in. In one of the articles sourced for this blog, the publication captured dialog between the bad actors in a chat log. Within that dialog, the few lines below reveal that the bad actors are using the same products your employees use:

“their network defense does not see us b/c TeamViewer and AnyDesk are legit software, and admins also use it there. That is why no questions (about their remotely moving around the network).”

“no, you can only move laterally via credentialed net shares or RDP”

Please note that these logs are translated from Russian, so the English might sound awkward. Basically, the bad actors use things like RDP, which almost all institutions rely on, plus other applications that may be specific to each individual business. To make a long story short, these attackers are smart and navigate your network with the same tools your employees use. This is known as living off the land.

On average, it takes organizations 200 days or more to learn that they have been breached. The longer a bad actor has access to a network, the more damage they can inflict.

However, what if there were folders, servers, and databases on your network that were accessible via RDP or other technologies but served no business purpose? These assets would serve as bait for the bad actors: no legitimate user has a reason to touch them, so any access to them can be identified as likely snooping rather than normal activity. This is the beauty of honeypots. They help isolate suspicious traffic from normal activity based on the attacker’s interest in the material, not the method used to access it.
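As an added illustration (written for this post; not part of the original article and not any vendor's product), the following detection logic alerts only when RDP or share access touches a decoy asset, so the same legitimate tools aimed at production hosts stay silent. The log format, host, share, user and IP values are all constructed sample data.

```python
# Alert on any access to decoy ("honeypot") assets. Hypothetical detection logic
# written for this post, not a Safe Systems or vendor product; every host, share,
# user and IP value below is constructed sample data.
import re
from collections import namedtuple

# Decoy inventory: bait assets that no business process should ever touch.
DECOY_HOSTS = {"fs-archive07", "sql-legacy02"}
DECOY_SHARES = {r"\\fs-archive07\payroll_2015", r"\\fs-prod01\board_minutes"}

# Constructed log format: <time> <event> user=<u> src=<ip> dst=<host> [share=<unc>]
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<event>RDP_LOGON|SHARE_ACCESS) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: share=(?P<share>\S+))?$"
)
Alert = namedtuple("Alert", "time user src reason")

def detect_decoy_access(lines):
    """One Alert per line touching a decoy host or share. The same RDP/SMB
    activity against production hosts yields nothing: the signal is *what*
    was touched, not the (legitimate) tool used to touch it."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it, don't stall the pipeline
        dst, share = m["dst"].lower(), (m["share"] or "").lower()
        if m["event"] == "RDP_LOGON" and dst in DECOY_HOSTS:
            reason = f"RDP logon to decoy host {m['dst']}"
        elif m["event"] == "SHARE_ACCESS" and (share in DECOY_SHARES or dst in DECOY_HOSTS):
            reason = f"access to decoy share {m['share'] or m['dst']}"
        else:
            continue  # ordinary activity against a real asset
        alerts.append(Alert(m["time"], m["user"], m["src"], reason))
    return alerts

# Constructed sample events: two routine actions, then the same tools aimed at
# bait. Only the last two should alert.
SAMPLE_LOG = [
    "2019-05-10T09:01:12 RDP_LOGON user=jsmith src=10.1.4.22 dst=FS-PROD01",
    "2019-05-10T09:03:40 SHARE_ACCESS user=jsmith src=10.1.4.22 dst=FS-PROD01 share=\\\\FS-PROD01\\Finance",
    "2019-05-10T02:14:05 RDP_LOGON user=svc_backup src=10.1.9.250 dst=SQL-LEGACY02",
    "2019-05-10T02:16:51 SHARE_ACCESS user=svc_backup src=10.1.9.250 dst=FS-PROD01 share=\\\\FS-PROD01\\Board_Minutes",
]

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOG):
        print(f"[ALERT] {a.time} {a.user}@{a.src}: {a.reason}")
```

In practice the decoy inventory would be fed from wherever the bait assets are registered, and the alerts routed to the same channel as your other high-priority detections, since a hit on a decoy is rarely a false positive.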

It is always important to keep up with the latest news about cybersecurity. If you use one of these solutions, be sure to follow the latest news from the company. Even if you don’t use one of these companies, you could be next. Stay vigilant, as every company is one nightmare away from having a breach, including yours. In the meantime, evaluate the layers you have in place. Give serious consideration to some type of honeypot solution, as it may be one of the few solutions that can catch true covert snooping. As always, Safe Systems is here to help evaluate the layers you have in place and ensure you have the extra protection.